Deploying Xcode 8 via Self-Service - a how-to

RobertHammen
Valued Contributor II

Worked this out with @rtrouton based on both his installation script as well as the one located at cobbservations.wordpress.com

Wanted to offer Xcode 8 (requires OS X 10.11.5 or later) to our user population via Self Service.

Downloaded the Xcode 8 installation package from the App Store using the App Store Capture Methodology (yes, VPP would be better), described at:

https://derflounder.wordpress.com/2013/10/19/downloading-microsofts-remote-desktop-installer-package-from-the-app-store/

Added the 4.43GB installation package to the JSS, created a Self Service policy to install it, and used this script below (set to Run After) to handle all of the post-installation processing (so that users are not prompted for admin credentials). You may want to customize the script for your environment (we don't disable the Gatekeeper validation, and our users are already developers, nor do we have multiple versions of Xcode installed, so those line-items are disabled, but it's your call):

#!/bin/bash

# Accept EULA so there is no prompt

if [[ -e "/Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild" ]]; then
  "/Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild" -license accept
fi

# Just in case the xcodebuild command above fails to accept the EULA, set the license acceptance info 
# in /Library/Preferences/com.apple.dt.Xcode.plist. For more details on this, see Tim Sutton's post: 
# http://macops.ca/deploying-xcode-the-trick-with-accepting-license-agreements/

if [[ -e "/Applications/Xcode.app/Contents/Resources/LicenseInfo.plist" ]]; then

   xcode_version_number=`/usr/bin/defaults read "/Applications/Xcode.app/Contents/"Info CFBundleShortVersionString`
   xcode_build_number=`/usr/bin/defaults read "/Applications/Xcode.app/Contents/Resources/"LicenseInfo licenseID`
   xcode_license_type=`/usr/bin/defaults read "/Applications/Xcode.app/Contents/Resources/"LicenseInfo licenseType`

   if [[ "${xcode_license_type}" == "GM" ]]; then
       /usr/bin/defaults write "/Library/Preferences/"com.apple.dt.Xcode IDEXcodeVersionForAgreedToGMLicense "$xcode_version_number"
       /usr/bin/defaults write "/Library/Preferences/"com.apple.dt.Xcode IDELastGMLicenseAgreedTo "$xcode_build_number"
   else
       /usr/bin/defaults write "/Library/Preferences/"com.apple.dt.Xcode IDEXcodeVersionForAgreedToBetaLicense "$xcode_version_number"
       /usr/bin/defaults write "/Library/Preferences/"com.apple.dt.Xcode IDELastBetaLicenseAgreedTo "$xcode_build_number"
   fi

fi

# DevToolsSecurity tool to change the authorization policies, such that a user who is a
# member of either the admin group or the _developer group does not need to enter an additional
# password to use the Apple-code-signed debugger or performance analysis tools.

/usr/sbin/DevToolsSecurity -enable

# Add all users to developer group, if they're not admins

/usr/sbin/dseditgroup -o edit -a everyone -t group _developer

# If you have multiple versions of Xcode installed, specify which one you want to be current.

/usr/bin/xcode-select --switch /Applications/Xcode.app

# Bypass Gatekeeper verification for Xcode, which can take awhile.

if [[ -e "/Applications/Xcode.app" ]]; then
  xattr -dr com.apple.quarantine /Applications/Xcode.app
fi

# Install Mobile Device Packages so there is no prompt

if [[ -e "/Applications/Xcode.app/Contents/Resources/Packages/MobileDevice.pkg" ]]; then
  /usr/sbin/installer -dumplog -verbose -pkg "/Applications/Xcode.app/Contents/Resources/Packages/MobileDevice.pkg" -target /
fi

if [[ -e "/Applications/Xcode.app/Contents/Resources/Packages/MobileDeviceDevelopment.pkg" ]]; then
  /usr/sbin/installer -dumplog -verbose -pkg "/Applications/Xcode.app/Contents/Resources/Packages/MobileDeviceDevelopment.pkg" -target /
fi

# Install XcodeSystemResources.pkg so there is no prompt

if [[ -e "/Applications/Xcode.app/Contents/Resources/Packages/XcodeSystemResources.pkg" ]]; then
  /usr/sbin/installer -dumplog -verbose -pkg "/Applications/Xcode.app/Contents/Resources/Packages/XcodeSystemResources.pkg" -target /
fi

exit 0
35 REPLIES

Wakko
Contributor II

Awesome work gentlemen. I'll try this out later today, you have made this request so much easier.
Very good.

donmontalvo
Esteemed Contributor III

Wow...I may owe @RobertHammen a beer, and @rtrouton a Pepsi at JNUC2016...if they're going this year. :)

PS, any way to get the Additional Components installed without having to snapshot? Thought the last two sections to install PKGs would eliminate that?


--
https://donmontalvo.com

RobertHammen
Valued Contributor II

@donmontalvo Not seeing that. Are you sure the script is running? Because it should handle the licensing and install the components...

donmontalvo
Esteemed Contributor III

@RobertHammen hmm...I'll double check now, will shout back.

--
https://donmontalvo.com

Byte
New Contributor

@donmontalvo @RobertHammen @rtrouton

I get the prompt when going to Xcode - Preferences - Components and I try to download an iOS simulator.
What part of this script is actually covering this?
I'm running versions 7.3.1, 8.0 and 8.1GMSeed.
Help please.

RobertHammen
Valued Contributor II

@MaCaDmIn82 Simulators are a different story.

Some of the info documented here is still relevant:

Tim Sutton's Blog

Basically, you can start the download on your Mac, and the downloads still go to:

~/Library/Caches/com.apple.dt.Xcode/Downloads

However, be aware:

1) the dmg files don't show up in the Finder, at least on my Mac (had to use Terminal)
2) after I mounted one of those dmg's, they also appeared empty/the pkg files had to be accessed/copied via Terminal

Might just be an anomaly on my Mac.

Anyway, you'd have to capture the .pkg files for the simulators, and install them/check where the files were actually installed - if in the Xcode app bundle itself, or in /Library, you're OK, but if in the ~/Library folder hierarchy, obviously you have a larger issue...

dferrara
Contributor II

@RobertHammen Great work and thank you for sharing!

ctarbox
Contributor II

@RobertHammen... Newbie here. Just wanted to say I tested this approach and it worked flawlessly (El Cap 10.11.6/Xcode 8.2.1).

And learning how to capture .pkg's from MAS was very helpful too.

baldiesrt
New Contributor

The debug menu is gone in Sierra.

Use this link instead of the one above to get the package from MAS
https://derflounder.wordpress.com/2015/11/19/downloading-installer-packages-from-the-mac-app-store-with-appstoreextract/

baldiesrt
New Contributor

Disregard!

jimmy-swings
Contributor II

Just out of interest, why not download Xcode directly from developer.apple.com?

dstranathan
Valued Contributor II

It still requires a "hop" from a browser to the Mac App Store app (and an Apple ID etc). It's not a "direct" download, correct?

RobertHammen
Valued Contributor II

@jazzyj When I go to download Xcode from developer.apple.com it takes me right to the App Store to download. Previous versions on that site have a .XIP file which is significantly larger than the App Store .pkg file, and which no native tools can use.

dfarnworth_b
New Contributor III

If you go to developer.apple.com, and click Downloads on the left then scroll to the bottom, there's a link saying: "Don't see what you're looking for? See more downloads", click that and you can download the XIP. Or the direct URL is https://developer.apple.com/download/more/

donmontalvo
Esteemed Contributor III

@dfarnworth_barc pretty sure you're thinking of older versions of Xcode being downloadable. New version will always direct you to App Store. [See correction below] Apple provides downloads for versions so developers can run concurrent versions and use xcode-select to toggle between versions. Like when a developer needs to create something for an older iOS version that the new version of Xcode doesn't support iOS Simulators for.

@RobertHammen My apologies, I forgot to circle back after testing. The only difference between this process and ours, we don't hijack Apple's App Store packages. Instead we allow App Store to install, and we grab it from there. This way we don't get in the way of the App Store process, and a proper _MASReceipt is present.

Pretty sure first launch prompted me, thinking back it may have been to install or update Command Line Tools. We ended up adding a line to the script to run /usr/bin/xcode-select --install, but I have to search through my notes.

We were packaging iOS Simulators but are trying to avoid having to deal with that madness (that's a lot of bits dude!)...we opened a ticket with AppleCare Enterprise Support to see if they've got a command line method to install so we don't have to reinvent the wheel.


Yea, admin rights would alleviate this, but we have to play by the rules. Admin rights where I'm employed require a Security Exception. Cue in the occasional "You're not doing it my way, so you're doing it rong!" mantras...#rollsEyes

Not interested in being on the front page of <redacted> with the headline "Famous company hacked because IT Department was too cool to give a $#!+". My mom isn't famous, so being employable is a thing for most of us.

--
https://donmontalvo.com

gregneagle
Valued Contributor

Xcode is still available for (non-App Store) download from the Apple Developer site. You need to be a registered developer.

donmontalvo
Esteemed Contributor III

@gregneagle hmmm...the 8.3.2 download link https://developer.apple.com/download/ takes us back to App Store.

Is there a hidden link you might want to share? :):):)

EDIT: I stand corrected: http://adcdownload.apple.com/Developer_Tools/Xcode_8.3.2/Xcode8.3.2.xip

--
https://donmontalvo.com

Byte
New Contributor

@donmontalvo We were packaging iOS Simulators but are trying to avoid having to deal with that madness (that's a lot of bits dude!)...we opened a ticket with AppleCare Enterprise Support to see if they've got a command line method to install so we don't have to reinvent the wheel.

Let me know if you do get a response of some sort, as I do it the manual way as well and no admin rights for my users.
Would love to know if Apple has a solution to this.

Cheers

franton
Valued Contributor III

I solved the simulator issue by allowing the user to install them without admin rights. I've a highly modified script I run after Xcode deployment to make it all possible.

https://github.com/franton/Xcode-Scripts/blob/master/finalise.sh

djdavetrouble
Contributor III

Thanks @franton great script, saved me a bit of time!

donmontalvo
Esteemed Contributor III

Using the collaborative script(s) on this forum..here is what we got from Apple regarding iOS Simulators requiring admin rights:

Hello Don,

I reviewed the script you provided and, because "everyone" is being added to the developer group, you can modify the authorizations database to allow developers to install Apple provided software by running the following command:

sudo security authorizationdb write system.install.apple-software authenticate-developer

System Integrity Protection (SIP) will not prevent you from performing this task.

Please note that the combination of adding everyone to the _developer group and allowing any member of _developer to install Apple provided software means that any user can install Apple provided software. If that presents a concern, you'll need to modify your script to add specific users to _developer instead of adding everyone.

Please let me know if you have additional questions.

Regards,
XXXXXXXX

Basically added these two commands to @RobertHammen's excellent and quite useful script:

# Install Command Line Tools.

if [[ -x /usr/bin/xcode-select ]]; then
    /usr/bin/xcode-select --install
fi

# Allow any member of _developer to install Apple provided software.

/usr/bin/security authorizationdb write system.install.apple-software authenticate-developer

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

@MaCaDmIn82 confirmed two things today.

First, this command, added to @RobertHammen's script, as per AppleCare Enterprise Support, does indeed enable non-admin developers to install iOS Simulators without prompting for admin rights. #fistPump:

/usr/bin/security authorizationdb write system.install.apple-software authenticate-developer

Confirmed that deploying non-App Store copy of Apple Xcode 8.3.2, and following it up with the Command Line Tools for that same version, available from the https://developer.apple.com/download/more/ site did the trick.

Install is silent, whether someone is logged on to the Mac or not...and whether the user has admin rights or not.

Just in time for the weekend!
Don

--
https://donmontalvo.com

gregneagle
Valued Contributor

this command, added to @RobertHammen's script, as per AppleCare Enterprise Support, does indeed enable non-admin developers to install iOS Simulators without prompting for admin rights. #fistPump:

/usr/bin/security authorizationdb write system.install.apple-software authenticate-developer

Pretty sure this allows anyone in the developer group (and since you've added everyone to the developer group, allows everyone) to install anything from softwareupdate without prompting for admin rights (system.install.apple-software). That might be acceptable, but make sure you understand the ramifications. It may also allow the install of other "apple-software" from other sources.

donmontalvo
Esteemed Contributor III

@gregneagle understood, and agreed. The AppleCare Engineer explained that would happen. We discussed risk, support, etc.

Two options for VPP deployment of Xcode. Apple's suggestion that elevates rights for install of Apple related stuff, or Local Admin Privileges (user requests security exception) that elevates rights across the board. We can provide most of the automation as a policy that user has to trigger through Self Service, but there is a hole.

If we deploy non-AppStore version of Xcode, we can add Command Line tools, and all the settings/suppression, to the payload. This should cover all prompts, but we are still getting a prompt due to only one of three additional required component packages installing (strange; looking into it). Same hole as VPP method.


Our intent is to provide deployment via VPP plus one Self Service policy, which results in user getting the limited elevated rights as suggested by Apple.

Or to deploy the old way, by deploying non-AppStore version, plus Command Line Tools, plus the script that gives user limited elevated rights as suggested by Apple.

The third option would be user can either submit a request for a security exception (to get Local Admin Privileges), or call Help Desk each time he/she gets a prompt.

It's good to know Apple is taking these admin prompts seriously, hopefully they'll do something soon so we won't have to jump through so many hoops to deploy their software. :)

--
https://donmontalvo.com

franton
Valued Contributor III

@gregneagle @donmontalvo I can't go into too much detail (work NDA etc) but I've been facing this exact problem. I've tested a couple of the privilege escalation tools (avecto being the big one) only to find they don't actually work with Xcode.

I hit on the authorisation db change because our users are not admin, and being able to install Apple updates is actually a big concern of our CISO dept: namely they want the OS patched and I don't care if users do it, or my system implementation does it :)

GabeShack
Valued Contributor III

Question to @franton @donmontalvo @RobertHammen ,
Let's say this was not done through self service, would this script then have to be run per user at login? Or could we run the bulk of the script once and just have users added to the developer group at login? Since all the users are not logged in yet, my question is the script adding any user created after the script is run to the developers group or does this have to happen as they login and get created?

Gabe Shackney
Princeton Public Schools


franton
Valued Contributor III

Nope, you run this exactly once. Nothing user specific in my script.

donmontalvo
Esteemed Contributor III

+1

@franton will we see you at this year's JNUC?

--
https://donmontalvo.com

franton
Valued Contributor III

October 26th, 11:30am in the Greenway Ballroom. I'm the Smart Card talk :D

eng
New Contributor II

I wrote a tool today that should help others to download and ultimately install Xcode simulators via pkg installations. It's called "makexcodesimulators".

This has only been tested with Xcode 9.3 but it should theoretically work on older versions. Hope it helps.

makexcodesimulators

franton
Valued Contributor III

@eng that's very nice. Nice work! I ended up approaching things from a different angle and I now include this code with my org's finalisation script. It allows non admin users to install the same products by themselves. I have not found any adverse effects from this ... yet.

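# alter authorisation database to allow installation of apple components without admin rights
# (work in a private temp directory rather than a fixed, predictable path in /tmp)
tmpdir=$(/usr/bin/mktemp -d /tmp/xcode-authdb.XXXXXX) || exit 1
security authorizationdb read system.install.apple-software > "$tmpdir/xcode.plist"
defaults write "$tmpdir/xcode.plist" rule -array authenticate-session-owner-or-admin
security authorizationdb write system.install.apple-software < "$tmpdir/xcode.plist"
rm -rf "$tmpdir"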
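
Apple's reply earlier in the thread recommends adding specific users to _developer instead of everyone, and two different rule values for system.install.apple-software have been posted. The following is an added example, not code from any poster in this thread: it reports which of those rules is in effect and replaces the blanket everyone membership with named users. The function names, the DRY_RUN switch and the sample plist are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not from the thread. Run as root on macOS with placeholder user names.
RIGHT="system.install.apple-software"
# Constructed sample of `security authorizationdb read` output, for offline runs.
SAMPLE_PLIST='<plist version="1.0">
<dict>
	<key>class</key>
	<string>rule</string>
	<key>rule</key>
	<array>
		<string>authenticate-developer</string>
	</array>
</dict>
</plist>'

# Print the rule names found in authorizationdb plist output read from stdin.
authdb_rules() {
  awk '/<key>rule<\/key>/ { inrule = 1; next }
       inrule && /<\/array>/ { exit }
       inrule && /<string>/ { gsub(/.*<string>|<\/string>.*/, ""); print }'
}

# The two rule values posted in this thread both let non-admins authorize installs.
classify_rule() {
  case "$1" in
    authenticate-developer)              echo "relaxed: any _developer member may authorize" ;;
    authenticate-session-owner-or-admin) echo "relaxed: the session owner may authorize" ;;
    *)                                   echo "review: $1" ;;
  esac
}

# Execute a command, or only print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi; }

# Replace the blanket "everyone" membership with the named users only.
restrict_developer_group() {
  run /usr/sbin/dseditgroup -o edit -d everyone -t group _developer
  for u in "$@"; do
    case "$u" in
      ''|-*|*[!A-Za-z0-9._-]*) echo "skipping invalid user name: $u" >&2; continue ;;
    esac
    run /usr/sbin/dseditgroup -o edit -a "$u" -t user _developer
  done
}

# Classify every rule found in the plist on stdin.
audit() { authdb_rules | while read -r r; do classify_rule "$r"; done; }

if [ "$(uname -s)" = "Darwin" ] && [ "$#" -gt 0 ]; then
  /usr/bin/security authorizationdb read "$RIGHT" 2>/dev/null | audit
  restrict_developer_group "$@"
else
  printf '%s\n' "$SAMPLE_PLIST" | audit   # offline demonstration on the sample
fi
```

Setting DRY_RUN=1 before invoking the script prints the dseditgroup commands without changing group membership.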

eng
New Contributor II

Our users are admins, but we have "build servers" to test our apps prior to release.

We needed something that could be fully automated and unfortunately I had to figure out what it is that Xcode was doing.

This tool will parse out all of the simulators available for your version of Xcode and allow you to download them. After it downloads, it wraps the original Apple installer with productbuild using the customLocation key to allow the package to properly install. But the original package still has its signing certificates in case Apple is validating this somewhere else.

I imagine Apple uses relative links because they have changed the install path three times now, but my hope is the current folder is now the permanent one (/Library/Developer/continue/long/path)

stephaniemm77
Contributor

Hello, anyone know if this script still works in 10.4?

robertojok
Contributor

@stephaniemm77 @eng the script doesn't work anymore. It was the greatest help indeed. I hope @eng will revisit it.

franton
Valued Contributor III

This thing is over seven years old now. Good chance anything that old is not likely to work anymore.

I'll not likely be revisiting it because my current employer allows full admin rights to developers, so it's not required.